Severity: Medium TLP: Green Log4j Highlights Need for Better Handle on Software DependenciesSummary:
Security experts learned a lot from the fallout of Log4Shell. Most importantly, the incident highlighted the need for organizations to “understand and manage” what code is running within their software environments. Software dependencies exist in just about every enterprise product, when flaws emerge in these dependencies, organizations are left scrambling for fixes.
Third party dependencies are essential in creating modern day programs as programmers do not have to reinvent the wheel every time a new product or application is developed. By mixing and matching existing libraries and packages, software developers can build new applications more efficiently.
“According to the "2021 Sonatype State of Software Supply Chain Report," last year developers around the world pulled more than 2.2 trillion open source packages from online repositories to use in their work, representing a 73% year-over-year growth in developer downloads of open source components” (Dark Reading, 2022).
Using third party libraries is important, but it creates disaster situations when an underlying component is found vulnerable. Many prefabricated libraries are dependent on one another, which can create problems several layers deep. This can make locating and patching vulnerable libraries more difficult.
“According to the latest studies by Google's Open Source Insights Team, 80% of Java packages affected by the vulnerability in the Apache Log4j library cannot be updated directly and will require coordination between different project teams to address the flaw. This spells years of work for application security and development professionals to stamp out the risk from this widespread software weakness” (Dark Reading, 2022).
Software Bill or Materials (SBOM) needs widespread adoption to ensure future Log4Shell like incidents can be managed more effectively.
SBOMs can be thought of like a manufacturing list that car manufactures use. They show all the “ingredients” of the car, including the third parties who made said part. When a part is found defective, they can immediately know who developed the part and which cars are impacted. The same open source components can be tracked with software through the use of a SBOM.
"The key value is the ability to create a software inventory so that when an attack or vulnerability happens you have a place where you can ask 'Where is it located?,' 'Where can I get an update?,' [and] 'What do I have to take offline?' Of course, the devil is in the details. Many SBoMs are still manually created and managed. Given the frequency of software changes and the quantity of applications, it can be difficult for individuals to maintain and keep SBoMs up to date" (Dark Reading, 2022).